#36 a:domain/cidr does not work

open
nobody
5
2010-03-24
2010-03-24
Steve McKenna
No

An spf record of this format:
v=spf1 a:widget.com/24 -all
should cause widget.com to be looked up and the top 24 bits of all IP addresses returned for that address should be used in the spf check.
However the code actually tries to look up widget.com/24.

One fix is to modify function sm_marid_dir_a to work as follows:

Replace this block of code:
    /* Scan trailing cidr length(s) */
    if (   (s = expr->smx_cidr_s) != NULL
        && (e = expr->smx_cidr_e) != NULL)
    {
        sm_marid_scan_cidr(s, &e, &smf->smf_cidr_ip4,
            &smf->smf_cidr_ip6);
    }
    else
    {
        smf->smf_cidr_ip4 = 32;
        smf->smf_cidr_ip6 = 128;
    }

    s = expr->smx_value_s;
    e = expr->smx_value_e;

    /* Expand the value of the right-hand side */
    tmp = sm_marid_domain_spec(context, s, e);

with the following block:

    /* Scan trailing cidr length(s) */
    smf->smf_cidr_ip4 = 32;
    smf->smf_cidr_ip6 = 128;
    if (   (s = expr->smx_value_s) != NULL
        && (e = expr->smx_value_e) != NULL)
    {
        if (sm_marid_scan_cidr(s, &e, &smf->smf_cidr_ip4,
                &smf->smf_cidr_ip6) == 0)
        {
            /* e now excludes the cidr */
        }
        else
        {
            e = expr->smx_value_e;
        }
    }

    /* Expand the value of the right-hand side */
    tmp = sm_marid_domain_spec(context, s, e);

Note the code above isn't perfect, as it needs to restrict the cidr check to strings that have a cidr in them; otherwise the cidr scan could match a domain ending in numbers (not sure that's legal, but it might be one day).

The root of the fault seems to be that the sm_marid_scan_expression call for the spf record locates the widget.com/24 but returns the whole string as the result, rather than performing further analysis to find the cidr.

Note I think the mx/cidr code is also broken, as it's structured in the same way.
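
The split this report asks for, as an added example that is not part of the ticket or of the project's code: the value is scanned from its end, and digits count as a prefix length only when a '/' precedes them, so a domain that merely ends in digits is left alone. It follows the SPF form `domain/ip4//ip6`; the names `trailing_num` and `split_domain_cidr` are hypothetical.

```c
#include <ctype.h>

/* Hypothetical helper (not a libmarid function): read the run of digits that
 * ends at *e. Returns -1 if there is none; otherwise the value, saturated at
 * 129 so the caller can range-check, with *e moved back to the first digit. */
static int trailing_num(const char *s, const char **e)
{
    const char *p = *e, *q;
    int n = 0;

    while (p > s && isdigit((unsigned char)p[-1]))
        p--;
    if (p == *e)
        return -1;
    for (q = p; q < *e; q++)
        if ((n = n * 10 + (*q - '0')) > 128)
            n = 129;
    *e = p;
    return n;
}

/* Split [s, *e) into domain-spec and the trailing "/ip4", "//ip6" or
 * "/ip4//ip6". Returns 0 with *e moved to the end of the domain-spec
 * (defaults 32/128 when a length is absent), -1 if a length is out of range. */
int split_domain_cidr(const char *s, const char **e, int *ip4, int *ip6)
{
    const char *p = *e;
    int n = trailing_num(s, &p);

    *ip4 = 32;
    *ip6 = 128;
    if (n < 0 || p == s || p[-1] != '/')
        return 0;                       /* e.g. "host123": all domain */
    if (p - s >= 2 && p[-2] == '/') {   /* "//" introduces the IPv6 length */
        if (n > 128)
            return -1;
        *ip6 = n;
        p -= 2;
        *e = p;
        n = trailing_num(s, &p);
        if (n < 0 || p == s || p[-1] != '/')
            return 0;                   /* IPv6 length only */
    }
    if (n > 32)
        return -1;
    *ip4 = n;
    *e = p - 1;                         /* drop the '/' before the IPv4 length */
    return 0;
}
```

An empty domain-spec after the split (as for a bare `/24`) means the mechanism applies to the current domain.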

Discussion

  • Jeff Anton
    2010-03-24

    If the problem is in the scanner, why not fix the scanner? That seems like a simpler fix to me than to run around to all the directives. The scanner even has the code... Just some wrong bracketing... I'm sure there is a better fix...

     
  • Steve McKenna
    2010-03-25

    I agree that the scanner is the right place to fix it, and that was the place I first looked at. However, given that any change to the scanner has a wider impact and needs more testing, I went for the low-risk option that gives me a workaround for our customer's spf1 record.
    The code snippet I provided above is far from perfect, but it was included to demonstrate that the original code is wrong, given what the scanner currently does.

    Cheers, Steve